author: Dr. Stephen Henson <steve@openssl.org> 2002-11-06 01:28:55 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2002-11-06 01:28:55 +0000
commit: d618f703ec18f1012a096a110637f8769d1e6cb3 (patch)
tree: 054791273f1148b8eb2dc754d73d56400b2e2b71 /doc
parent: 896e4fef30ab773fd06f531276ac954992d11657 (diff)
CRL reason code docs.
Diffstat (limited to 'doc')
-rw-r--r-- doc/apps/ca.pod 36
1 files changed, 32 insertions, 4 deletions
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index c2ca8f2400..f50fe9c8ed 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -13,6 +13,10 @@ B<openssl> B<ca>
[B<-name section>]
[B<-gencrl>]
[B<-revoke file>]
+[B<-crl_reason reason>]
+[B<-crl_hold instruction>]
+[B<-crl_compromise time>]
+[B<-crl_CA_compromise time>]
[B<-subj arg>]
[B<-crldays days>]
[B<-crlhours hours>]
@@ -74,7 +78,7 @@ a single self signed certificate to be signed by the CA.
=item B<-spkac filename>
a file containing a single Netscape signed public key and challenge
-and additional field values to be signed by the CA. See the B<NOTES>
+and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required format.
=item B<-infiles>
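Review bot: the cross-reference in the B<-spkac> entry now points at B<SPKAC FORMAT>, but this patch adds no heading of that name; confirm ca.pod already contains a C<=head1 SPKAC FORMAT> section (the old text pointed at B<NOTES>, so the section may have been split out in an earlier commit), otherwise the reference sends the reader to a section that does not exist.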
@@ -214,6 +218,33 @@ the number of hours before the next CRL is due.
a filename containing a certificate to revoke.
+=item B<-crl_reason reason>
+
+revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
+B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
+insensitive. Setting any revocation reason will make the CRL v2.
+
+In practive B<removeFromCRL> is not particularly useful because it is only used
+in delta CRLs which are not currently implemented.
+
+=item B<-crl_hold instruction>
+
+This sets the CRL revocation reason code to B<certificateHold> and the hold
+instruction to B<instruction> which must be an OID. Although any OID can be
+used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
+B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
+
+=item B<-crl_compromise time>
+
+This sets the revocation reason to B<keyCompromise> and the compromise time to
+B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
+
+=item B<-crl_CA_compromise time>
+
+This is the same as B<crl_compromise> except the revocation reason is set to
+B<CACompromise>.
+
=item B<-subj arg>
supersedes subject name given in the request.
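Review bot: typo in the B<-crl_reason> paragraph: "In practive" should read "In practice". In the B<-crl_CA_compromise> entry, B<crl_compromise> is missing its leading dash and should be B<-crl_compromise> to match the other option references. The B<-crl_hold> entry is ambiguous: it says the instruction "must be an OID" and then names B<holdInstructionNone>, B<holdInstructionCallIssuer> and B<holdInstructionReject> without saying whether those symbolic names are accepted on the command line or whether the dotted numeric OID is required; state which forms the option parses. For B<-crl_compromise>, it is worth saying that the trailing B<Z> in B<YYYYMMDDHHMMSSZ> means the time is UTC, since operators will otherwise type local time. Finally, the B<removeFromCRL> remark that delta CRLs are "not currently implemented" duplicates the existing "not currently supported" statement later in the file; keep the two in sync if delta CRL support is ever added.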
@@ -527,9 +558,6 @@ if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
CRL: however there is no option to do this.
-CRL entry extensions cannot currently be created: only CRL extensions
-can be added.
-
V2 CRL features like delta CRL support and CRL numbers are not currently
supported.
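Review bot: with the sentence about CRL entry extensions removed, the surviving text "V2 CRL features like delta CRL support and CRL numbers are not currently supported" now stands beside the new B<-crl_reason> documentation, which says that setting any revocation reason makes the CRL v2; reword this to something like "Other v2 CRL features, such as delta CRLs and CRL numbers, are not currently supported" so the two statements do not read as a contradiction.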